  • Status: Solved

Audit Failure event in security logs of Domain controller

Hi,

I am checking some security event logs on the domain controller and what I am seeing is a lot of Audit failure logs. The surprising thing is that these audit failure events are coming from the only computers on the network which are on the same network BUT NOT ON DOMAIN. I am not sure if it is a particular type of bot or virus attack.

Any suggestions?
0
Asked by: TheCommunicator
 
Adam Brown, Sr Solutions Architect, Commented:
It depends highly on what type of auditing is going on. Can you post one of the events, please?
0
 
TheCommunicator (Author) Commented:
It says Login failed. It looks like somebody from these machines is trying to actually log in to the Domain controller. I am not sure whether this is for real or something else is being masked as Login failure.


I am attaching the snapshot

Audit-Failure.png
0
 
Adam Brown, Sr Solutions Architect, Commented:
This site has some more detailed information on that event: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
This could be caused by a service account that is configured to run some software on the computers that are being reported having incorrect credentials. There are also a number of other reasons this could be showing up. Check the Substatus code and compare it to the ones listed at the link I gave and it should give you more information.
0
 
johnb6767 Commented:
Any persistent mappings from those systems using domain creds?

0
 
TheCommunicator (Author) Commented:
Oh yes actually these computers browse to some of the folders on these servers.
0
 
johnb6767 Commented:
I'd check for stored passwords that are out of date....
0
 
TheCommunicator (Author) Commented:
Can you please explain? Stored passwords which are out of date?
0
 
johnb6767 Commented:
If these non domain users have mappings that are done to your domain servers, then they might have stored passwords cached in their systems.....

start>run>control keymgr.dll

Check to see if any passwords exist for your servers on one of those systems....
0
 
TheCommunicator (Author) Commented:
Well, I checked. They do not use any credential manager facility.
0
 
johnb6767 Commented:
What's the Logon Type Code in your errors?

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Will reveal more about the source of the failure....
0
 
TheCommunicator (Author) Commented:
It is Logon type 3.
0
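
Added example, not part of the thread or written by any of its participants: a PowerShell sketch that pulls the Event ID 4625 failures discussed above from the domain controller's Security log and groups them by source machine, account, Logon Type and Sub Status, so the fields the answers ask about can be read in one table. The 24-hour look-back window and the variable names are assumptions; it is meant to be run from an elevated session on the domain controller.

```powershell
# Added example: summarize failed logons (Event ID 4625) from the Security log.
# Sub Status values are NTSTATUS codes; these are the ones most often seen in 4625.
$SubStatusText = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Correct user name, wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc0000224' = 'Password must change at next logon'
}

$Since  = (Get-Date).AddHours(-24)   # assumed look-back window
$Filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }

$failures = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> fields of the event XML into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        $sub = "$($data['SubStatus'])".ToLower()
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']
            SubStatus   = $sub
            Meaning     = if ($SubStatusText.ContainsKey($sub)) { $SubStatusText[$sub] }
                          else { 'Not in table, check the Status field' }
        }
    }

# One row per source / account / reason, most frequent first.
$failures |
    Group-Object Workstation, SourceIP, Account, LogonType, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Logon Type 3 is a network logon, the type produced when a machine connects to a shared folder on the server. A steady count from the same workstation with the same account and the same Sub Status points to something retrying automatically with one set of credentials rather than to many different accounts being tried.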
